WHITEPAPER

Introduction

As digital transformation continues to pervade federal government, ServiceNow has emerged as a compelling platform that enables agencies to improve service delivery, streamline operations and further increase automation. However, along with the numerous benefits it does offer, any decision to implement ServiceNow comes with important data management and security considerations that must be addressed so that legislation and regulations pertaining to data and information management are adhered to by an agency implementing ServiceNow.
The intent of this whitepaper is to provide guidance to Australian government agencies on how to ensure compliance with data legislation when implementing ServiceNow. The whitepaper will outline key data legislation that applies to agencies and provide guidance on how to implement ServiceNow with these in mind. It will explore various aspects of data governance, information management, and security controls, as well as discuss roles and responsibilities around data stewardship.
By following the recommendations outlined in this whitepaper, agencies can ensure that their ServiceNow implementation meets any applicable legislative and regulatory requirements and maintains both the security and privacy of sensitive data. This whitepaper aims to champion a proactive approach to compliance by providing insights and leading practices for agencies to consider throughout the ServiceNow implementation process and beyond. This will ultimately help to promote a culture of compliance, ensuring that the confidentiality, integrity, and availability of sensitive information is upheld and ultimately data within government ServiceNow deployments remains secure.

Data Governance

Data governance is the process by which organisations manage their data to ensure its availability, usability, integrity, and security. In support of data governance, ServiceNow offers a range of features and tools to help manage sensitive information securely. It provides robust access controls, data encryption, and other security measures to protect sensitive information from unauthorised access or disclosure. ServiceNow also complies with a range of international security standards, including ISO 27001 and SOC 2, and has been independently assessed (IRAP) to operate at both OFFICIAL and PROTECTED within Australia for government workloads.
In the context of federal government agencies, data governance is of prime importance since these agencies often handle sensitive data. This could range from medical and scientific research data right through to data maintained in support of national security initiatives.
Some key principles of data governance that government agencies are required and expected to uphold include transparency, privacy, security, and accountability.
Transparent, clearly defined, documented, and accessible data management processes and policies promote trust and confidence in an agency’s ability to handle data responsibly and ethically.
Prioritising the protection of constituent or sensitive data and implementing privacy by design principles, ensures that data privacy is integrated into all aspects of an agency’s data management.
Implementing robust security measures to protect data from unauthorised access, disclosure, alteration, or destruction is also critical for government agencies. A comprehensive data security strategy should encompass policies, procedures, and technology solutions that address potential risks and mitigate vulnerabilities.
The roles of data processors and data controllers are central to accountability within data governance. A data controller is responsible for determining the purposes and means of processing data, while the data processor is responsible, on behalf of the data controller, for processing their data. In other words, the data controller is responsible for deciding what data to collect, how it will be used, and who it will be shared with, whilst the data controller might store or otherwise manipulate data on behalf of the controller – or data owner. Both the data controller and the data processor will have obligations under data legislation and regulations. For government, an agency as a customer of ServiceNow would be the data controller and ServiceNow would be considered a data processor.
To ensure compliance with data legislation and regulations when implementing ServiceNow, it is essential for agencies to comprehend and integrate these key data governance principles.

Information Management Legislation in Australia

Information Management for federal government in Australia is governed by a range of regulations, frameworks, and legislation, including Records Authorities, the Information Security Manual (ISM), the Protective Security Policy Framework (PSPF), the Privacy Act and the Archives Act.
These are designed to ensure the confidentiality, integrity, and availability of sensitive information, and to protect the privacy of individuals. It is important for government agencies to comply with these regulations when implementing ServiceNow – or any other technology platform for that matter, to manage government information.

Records Authorities
A records authority is an instrument that enables agencies to decide on the retention, destruction, or transfer of Australian Government data. These authorities help determine the duration for which records should be kept and grant permission for their destruction once the specified time has elapsed.
There are two prevalent types of records authorities for Australian Government agencies:

• Agency-specific records authorities, which pertain to the records an agency generates in connection with their distinct business functions; and
• General records authorities, which outline the requirements for retaining, destroying, and transferring records.

Information Security Manual
The Australian Cyber Security Centre (ACSC) produces the Information Security Manual (ISM). The ISM outlines a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and data from cyber threats.
The ISM presents as advice from the ACSC and includes principles and guidelines around strategic cyber security considerations and provides practical guidance on how an organisation can protect their data and systems from threats.

Protective Security Policy Framework
The Protective Security Policy Framework (PSPF) outlines the government’s protective security policies and assists entities in implementing these policies across various aspects, such as security governance and information security.
The framework aims to establish uniform, efficient, and effective protective security measures throughout the government. By doing so, it safeguards people, information, and assets from potential security threats and ensures the continuous delivery of Australian Government business operations.

Privacy Act
The Privacy Act 1988 was established to promote and safeguard the privacy of individuals, regulating how Australian Government agencies and certain other organisations handle personal information. The Privacy Act oversees the privacy aspects of data such as tax file numbers, and health and medical research.
Within the Privacy Act, the Australian Privacy Principles (APPs), cover:
• processing of personal information, and the standards for the collection, use, disclosure, and security of personal information
• obligations on agencies subject to the Privacy Act around access to personal information.

Archives Act and Archives Regulations
The Archives Act 1983 assigns responsibilities to agencies for:
• the destruction, transfer, or alteration of Commonwealth records;
• the transfer of records to the National Archives; and
• adherence to records management requirements.
The Archives Regulations mandate that Australian Government agencies maintain written documentation concerning:
• destruction of Commonwealth records;
• transfer of custody or ownership of Commonwealth records; and
• any damage to or alteration of Commonwealth records.

Other relevant legislation
There are additional pieces of legislation that include information management requirements that may apply to an agency and these include:
• Public Governance, Performance and Accountability (PGPA) Act 2013
• Commonwealth Procurement Rules (CPRs)
• Public Service Act 1999 and Public Service Regulations 1999
• Freedom of Information Act 1982
• Privacy Regulation 2013
• Fair Work Act 2009 and Fair Work Regulations 2009
• Electronic Transactions Act 1999 and Electronic Transactions Regulations 2000
• Crimes Act 1914
• Evidence Act 1995
This is not a complete list of all federal legislation that deals with information management and does not include specific laws that have been implemented for agencies with unique business or regulatory functions.
Depending on the scope of the data that an agency intends to maintain within a ServiceNow environment, careful consideration of these legislative requirements will be necessary.

Pre-Implementation Considerations

Before implementing ServiceNow, government agencies should consider the following to set themselves up for a successful deployment in relation to data management.

Data Classification
Agencies should consider data classification requirements for the full dataset that is intended to be maintained within a ServiceNow environment.
For example, multiple agencies have in the past considered that an aggregated Configuration Management Database (CMDB) that can support the entirety of their IT operations may in fact be considered to have greater sensitivity than the intended hosting model for ServiceNow (i.e. OFFICIAL vs PROTECTED).

Risk Assessment
Agencies obviously should conduct risk assessments to identify potential security risks and vulnerabilities associated with their intended use of ServiceNow. These assessments should include evaluating the types of data being stored and processed, potential threats to data privacy and security, and possible vulnerabilities or attack vectors.
By identifying and addressing these risks, agencies can proactively implement appropriate security measures and controls to mitigate potential issues and maintain compliance with relevant regulations.

Security Controls
Consideration should be given to additional security controls that ServiceNow can provide over and above the baseline that is available. This includes controls such as data at rest encryption options and VPN connectivity from ServiceNow’s cloud to an agency’s internet-facing API gateway.

Support Requirements
Agencies should ensure that any support arrangements with ServiceNow include appropriate guardrails if access to an agency’s environment is required by ServiceNow to provide technical support. ServiceNow has processes in-place to support agencies in this regard and agencies should make themselves aware of these.

Insight

Fostering a culture of data governance involves promoting awareness and adherence to its principles across the organisation. This can be achieved through training, defining roles, implementing policies, and encouraging communication around the way data is treated.
A strong data governance culture will help ensure responsible information management, improved decision-making, and compliance.

Configure for Defence in Depth

The ServiceNow platform has highly configurable and contextual security mechanisms that provide layered protection when configured appropriately. The following key areas should be addressed to ensure that ServiceNow is configured for compliance.

Access and Permissions
ServiceNow should be configured to ensure that only authorised users have access to sensitive data. Each new release of ServiceNow brings more options for securing access to data within a ServiceNow instance. ServiceNow provides pre- and post-authentication techniques that can restrict access to data based on a user’s attributes or IP address. Once a user is authenticated, mechanisms such as access controls and data filtration, classification and anonymisation can further inhibit data visibility. Importantly, these controls can be applied to both human and machine users.

Data Retention, Disposal and Transfer
ServiceNow should be configured to support appropriate data retention and disposal practices in accordance with applicable regulations. For data retention and disposal, this could be as simple as managing update and deletion privileges, as ServiceNow data is retained by default.
For the transfer of data, and to support data loss prevention, consideration must be given to rules around exports that users can trigger and integrations that allow access to data within ServiceNow. This also should include implementing policy around notifications that are sent from ServiceNow – include only enough information that is required to give context and provide a link back to ServiceNow so that when the information is accessed the user can be authenticated and the data access event can be audited.

Insight

Consider implementing business rules within ServiceNow to support information management compliance. ServiceNow’s Decision Tables functionality can help to ensure that data is managed in accordance with applicable legislation, by automating data manipulation or transfer activities based on predefined rules and logic.

By implementing these business rules in workflows, agencies can achieve more consistent and accurate data management, ultimately providing better compliance with legislative and regulatory requirements and safeguarding sensitive information.

Logging, Monitoring and Reporting
ServiceNow should be monitored, and data handling practices reported on to ensure compliance. All the log data generated by ServiceNow is accessible, to suitably privileged users, and this can be used to monitor access to data within an instance. It should be noted that some of this data is overwritten periodically in order to maintain performance, however, to alleviate this, near real time log extraction from ServiceNow can be configured for ingestion into a Security Information and Event Management (SIEM) tool.

Ongoing Audit and Assessment

Post implementation, to maintain ongoing compliance, agencies should conduct regular audits to assess their use of ServiceNow. The following are key areas where regular auditing and assessment policies and procedures should be in-place and followed.
Data Privacy and Security
Agencies should routinely assess their data privacy and security practices, ensuring that they align with updates to legislation and leading practices. This includes reviewing data protection measures, encryption, and monitoring for any potential breaches or vulnerabilities.
Access Controls and Permissions
Regular audits should be conducted to verify that access controls and permissions are configured correctly and consistently maintained. This ensures that only authorised users can access sensitive data.
Data Handling and Processing
Assessments should be performed to monitor that data handling and processing procedures remain compliant. These could include:

monitoring data quality for accuracy, consistency, and completeness;

conducting integrity checks to confirm data remains unaltered and intact throughout its lifecycle during storage, processing, and transfer; and

evaluating the legitimacy of data processing activities for risks and compliance issues associated with data manipulation or transfer.

Incident Management and Reporting
Regular audits of incident management and reporting procedures should be conducted to ensure that agencies are prepared to respond effectively to security breaches or other data loss events. This includes evaluating the effectiveness of incident response plans and verifying that reporting procedures follow leading practices and legislation.

Insight

Measure compliance by treating your data as you would any other asset by creating Key Performance Indicators to assess compliance.

-	Data Stewardship: The percentage of data elements with assigned data owners.
-	Data Security Incidents: The number of data security incidents reported and resolved.
-	Data Architecture Alignment: The percentage of data elements aligned with your agency’s data architecture.

By conducting regular audits and assessments and having robust incident management and reporting procedures in place, agencies can help to ensure ongoing compliance with data legislation when using ServiceNow.

A Note on ServiceNow Compliance

As the service provider, ServiceNow is committed to ensuring the privacy and security of personal data processed on behalf of its customers and has implemented a range of policies and procedures to support this commitment. These policies cover data handling practices, including data privacy and security, data processing, and data retention and disposal. These policies are available from ServiceNow CORE, which is a self-service portal that provides ServiceNow customers, and agencies considering ServiceNow, with documentation to help address regulatory questions relating to ServiceNow.
ServiceNow’s services available to Australian government agencies have been IRAP assessed to meet the ISM controls for OFFICIAL and PROTECTED.

Conclusion

As data legislation and regulations continue to evolve, government agencies must remain vigilant in the maintenance of their data governance compliance. Agencies should regularly review their use of ServiceNow and adjust policies and procedures as and when necessary.
To ensure compliance with Australian data legislation when implementing ServiceNow and afterwards, government agencies should consider the following recommendations:

1. Conduct risk assessments and implement appropriate security controls.
2. Ensure sufficient and up to date documentation is in place to support compliance.
3. Implement suitable data classification and handling policies and procedures.
4. Configure ServiceNow data management rules to support ongoing compliance.
5. Conduct regular auditing and assessments and establish key performance indicators.
6. Implement incident management and reporting procedures in place to respond to security breaches or other data loss events.

By following these recommendations and reacting to any future data governance requirements, federal government agencies can help to ensure that they are using ServiceNow in compliance with any relevant legislation.
This will help to ensure the confidentiality, integrity, and availability of sensitive information, and ultimately aid in both trust in government and the protection of government data.

References

Powerful transformation within a protected environment
ServiceNow
https://your.servicenow.com/spp

Information Management
National Archives of Australia
https://www.naa.gov.au/information-management

Protective Security Policy Framework
Attorney-General’s Department
https://www.protectivesecurity.gov.au/

Information Security Manual
Australian Cyber Security Centre
https://www.cyber.gov.au/acsc/view-all-content/ism